Right now we're migrating to 2010 and have both servers up and running. Our current remote setup for our mobile users is ActiveSync. Any time a user connects remotely, they first hit a proxy server, which is directed to another ISA server, then to EX2003. There's one certificate with CN proxy.example.com installed on EX2003 and a matching one on the ISA server, and the users are connecting with that same common name, proxy.example.com. Here's my question. We're getting rid of the proxy server and running solely on ISA 2006 (single homed), so, if I have purchased a new third-party cert with a SAN of legacy.example.com, would I...
1) Install that one on 2003, 2010, and ISA (removing the proxy.example.com cert from ISA) and set up a virtual directory on 2010 and a matching one on 2003? Since the ISA has one NIC, I can't see what else to do, since I can't set up a different IP for a different server on the same web listener.
2) The ISA is virtual. I could install an additional NIC, keep users connecting through the old proxy.example.com and old cert to 2003, and set up a new web listener on a different IP (or an IP on the same listener?) for 2010 users and attach the new third-party cert to it. This way, when a 2003 mailbox converts to 2010, I could just have them use the new legacy.example.com at that time without a need for a virtual directory redirection? Someone else purchased the legacy certificate, so even though it's titled "legacy", we can use it any way we want moving forward.
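Whichever option is chosen, the security-relevant point is that the name mobile users type (here legacy.example.com) must be in the certificate's SAN list and must be the host in the ActiveSync external URL, on both the ISA listener and the Exchange 2010 CAS. The following is an added example, not code from the original post or from Microsoft; it assumes an Exchange 2010 Client Access server named CAS2010 and that the purchased certificate has already been imported with Import-ExchangeCertificate. The server name and the hostname are placeholders.

```powershell
# Added example, not from the original post. Assumes the Exchange 2010 CAS is
# named CAS2010 and that the purchased SAN certificate has already been
# imported. Run from the Exchange Management Shell.

$externalName = "legacy.example.com"   # the name mobile users will connect to

# Pick the certificate whose SAN list actually contains that name and that
# has not expired; CertificateDomains holds the CN plus every SAN entry.
$cert = Get-ExchangeCertificate -Server CAS2010 |
    Where-Object {
        $domains = $_.CertificateDomains | ForEach-Object { "$_" }
        ($domains -contains $externalName) -and ($_.NotAfter -gt (Get-Date))
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    throw "No valid certificate on CAS2010 covers $externalName"
}

# Bind that certificate to IIS so ActiveSync and OWA present it to clients
# (the same certificate must be on the ISA web listener for the name to match
# end to end).
Enable-ExchangeCertificate -Server CAS2010 -Thumbprint $cert.Thumbprint -Services IIS

# Point the 2010 virtual directories at the same name, so the URL host and
# the certificate name agree.
Set-ActiveSyncVirtualDirectory `
    -Identity "CAS2010\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "https://$externalName/Microsoft-Server-ActiveSync"
Set-OwaVirtualDirectory `
    -Identity "CAS2010\owa (Default Web Site)" `
    -ExternalUrl "https://$externalName/owa"

# Check: the host of every external URL must be one of the certificate's names,
# otherwise devices will see a name-mismatch warning (or silently refuse to sync).
$certNames = $cert.CertificateDomains | ForEach-Object { "$_" }
$urls = @(
    (Get-ActiveSyncVirtualDirectory -Server CAS2010).ExternalUrl
    (Get-OwaVirtualDirectory -Server CAS2010).ExternalUrl
) | Where-Object { $_ }

foreach ($u in $urls) {
    $host = ([Uri]"$u").Host
    if ($certNames -notcontains $host) {
        Write-Warning "$u uses host $host, which is not on certificate $($cert.Thumbprint)"
    } else {
        Write-Host "OK: $u matches certificate name $host"
    }
}
```

The final loop is the check worth keeping around after the migration: it catches the common case where the certificate was swapped on the listener but a virtual directory's ExternalUrl still names the old proxy.example.com host. One caveat that the post does not mention: while 2003 mailboxes remain, the 2010 CAS proxies ActiveSync requests for them to the 2003 server, which requires Integrated Windows authentication to be enabled on the 2003 Microsoft-Server-ActiveSync virtual directory.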
Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
If the ISA has only one NIC, then don't waste your time even involving it in the process. When running one NIC, the ISA is only capable of acting as a web caching proxy. It is possible to still do web publishing with it, but in my opinion it is a waste of time, uselessly creates another point of failure to troubleshoot when it quits working, and any security benefits are negligible at best.